Home Affairs boss orders government-wide sweep for foreign cyber threats inside vulnerable technology

Secretary of Home Affairs Stephanie Foster says government bodies must identify and mitigate potential risks. (ABC News: Adam Kennedy)

In short:

A comprehensive audit will be conducted into all internet-facing technology used by Commonwealth agencies, in a series of formal directions quietly issued by Home Affairs Secretary Stephanie Foster.

The instructions come over rising concerns about foreign interference and influence threats.

Details of how the threat mitigation activity will be funded have not been outlined, but the directives have been welcomed by leading cyber security figures.

A comprehensive audit will be conducted into all internet-facing technology used by Commonwealth agencies over rising concerns about foreign interference and influence threats.

In a series of formal directions quietly issued late last week, Home Affairs Secretary Stephanie Foster has instructed each federal government body to identify and mitigate potential risks.

Under the formal instructions it will now also be mandatory for the Commonwealth's almost 200 entities and companies to share cyber threat information with the Australian Signals Directorate.

The three Protective Security Policy Framework (PSPF) directives are believed to be only the second time the binding powers have been used, with the first involving last year's ban of Chinese-owned application TikTok from Commonwealth devices.

On the same day the secretary's directions were issued, Home Affairs Minister Clare O'Neil also unveiled a series of new measures to counter foreign interference threats in the wider Australian community.

Under PSPF Direction 001-2024, government entities are told "to identify indicators of Foreign Ownership, Control or Influence (FOCI) risk as they relate to procurement and maintenance of technology assets and appropriately manage and report those risks".

"Foreign interference occurs when activity carried out by, or on behalf of, a foreign power, is coercive, corrupting, deceptive or clandestine, and contrary to Australia's sovereignty, values and national interests," the directive explains.

Government entities are told to "implement a process when undertaking procurement of technology assets to identify and manage potential FOCI risks" before June next year.

The Australian Cyber Security Centre is located within the nation's intelligence agency, the Australian Signals Directorate. (ABC News: Mark Moore)

In the second directive Ms Foster orders "a technology asset stocktake on all internet-facing systems or services to identify all technology assets managed by, or on behalf of, the entity".

Additionally, Commonwealth entities are directed to "develop a technology security risk management plan for all internet-facing systems or services, as part of the entity's overall security plan".

According to the third directive it will now also be mandatory for all "Australian government entities using threat intelligence sharing platforms to share cyber threat information with the Australian Signals Directorate".

Details of how the threat mitigation activity will be funded have not been outlined and the Department of Home Affairs has so far not responded to questions from the ABC, but the directives have been welcomed by leading cyber security figures.

"These directions mark a significant step in Australia's journey to be the world's most secure nation by 2030," says Sarah Sloan, head of government affairs and public policy for Palo Alto Networks in Australia.

"The federal government, responsible for operating critical systems and safeguarding vital data, oversees the most essential functions of our nation — from delivering social security to ensuring national defence.

"It is imperative that these organisations lead in cybersecurity measures," Ms Sloan added, noting the requirement for a stocktake of internet-connected technology assets and services was particularly pertinent.

"This emphasis on attack surface management (ASM) is well placed. With the rapid expansion of digital footprints due to cloud adoption, digital transformation, and remote work, robust ASM is crucial."